This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39119222,00.htm
Security no worse than in 2002, says report
But is that good news or bad news?
By Robert Lemos
Published: Tuesday 16 March 2004
The number of public alerts about software security flaws leveled off over the last six months, but worms continue to threaten the internet, according to a report that security company Symantec released on Monday.
In 2003, information on 2,636 security vulnerabilities was released to the public, according to Symantec's biannual Internet Security Threat Report. That's an increase of only two per cent from the 2,587 vulnerabilities disclosed by companies and security researchers in 2002, said Alfred Huger, senior director of engineering for Symantec. From 2001 to 2002, there was an 81 per cent increase, Huger said.
"This is the first year that we have seen the disclosure of vulnerabilities level off," he said.
The report affirms a trend found in data from the Computer Emergency Response Team Coordination Center: the 3,784 vulnerabilities reported to the organisation last year decreased eight per cent from the 4,129 flaws found in 2002.
The trend could be an indication that software development is getting better and that programmers are learning how to avoid the most common security missteps. Another factor is that security researchers are increasingly giving software companies a chance to fix the flaws before public alerts are sent out, which can delay the alerts.
"More people are working with vendors to patch these issues and that takes more time," Symantec's Huger said. For example, Microsoft took more than six months to produce a fix for several recent Windows vulnerabilities.
However, the drop may have been influenced by another, not so positive, factor, Huger said. More researchers may be failing to report new flaws. "Good" security researchers could be keeping information on a given flaw to themselves as a competitive advantage, or malicious researchers could be keeping quiet so that they can use the flaw in an attack.
Much of Symantec's report is based on data submitted by more than 20,000 internet devices owned by clients or affiliates. The data shows that 43 per cent of attacks were due to worms. Another 40 per cent were probes, scans for systems with specific vulnerabilities that are not necessarily malicious in themselves. The remaining 17 per cent of attacks were intrusion attempts not caused by worms.
The MSBlast, or Blaster, worm accounted for nearly a third of all attacking computers detected by Symantec's sensor network in the last six months, the report said, but it was responsible for only about two per cent of attacks. That's because the report counts attacks, not infected machines: a single computer can launch many attacks, and other worms exploited this far more than Blaster did. The Microsoft SQL Slammer worm, whose entire payload fits in one UDP packet and which scans as fast as the infected host's connection allows, accounted for more than a quarter of total attacks detected with only 2.4 per cent of attacking computers.
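The distinction the report draws between the share of attacks and the share of attacking computers is easy to lose when reading sensor data. The following added example (not Symantec's code or data; the log format, signature names and source addresses are constructed for illustration) parses a few sensor events and computes both shares per signature, plus the attacks-per-source ratio that explains why a fast scanner such as Slammer dominates one ranking while barely registering in the other.

```python
"""Share of attacks vs share of attacking hosts, per worm signature.

Constructed sensor events (not Symantec's data) in an assumed text format:
    <timestamp> src=<ip> sig=<signature>
"""
from collections import defaultdict

# Constructed sample: ten Blaster hosts seen once each, one Slammer host
# seen 25 times, and two Code Red hosts seen twice each.
SAMPLE_LOG = "\n".join(
    ["2004-02-14T03:21:%02dZ src=192.0.2.%d sig=MSBlast/TCP-135" % (i, i + 1)
     for i in range(10)]
    + ["2004-02-14T03:22:%02dZ src=198.51.100.7 sig=Slammer/UDP-1434" % i
       for i in range(25)]
    + ["2004-02-14T03:23:%02dZ src=203.0.113.%d sig=CodeRed/TCP-80" % (i, 40 + i % 2)
       for i in range(4)]
)


def parse_events(text):
    """Yield (src_ip, signature) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Everything after the timestamp is key=value; keep src and sig.
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        yield fields["src"], fields["sig"]


def summarise(events):
    """Per signature: attack count, distinct sources, their shares of the
    totals, and attacks per source (how 'noisy' each infected host is).

    A host infected by two worms is counted once in the source total, so
    source shares can sum to more than 1.0; attack shares always sum to 1.0.
    """
    attacks = defaultdict(int)
    sources = defaultdict(set)
    for src, sig in events:
        attacks[sig] += 1
        sources[sig].add(src)
    total_attacks = sum(attacks.values())
    total_sources = len(set.union(*sources.values())) if sources else 0
    summary = {}
    for sig in attacks:
        n_src = len(sources[sig])
        summary[sig] = {
            "attacks": attacks[sig],
            "sources": n_src,
            "attack_share": attacks[sig] / total_attacks,
            "source_share": n_src / total_sources,
            "attacks_per_source": attacks[sig] / n_src,
        }
    return summary


if __name__ == "__main__":
    for sig, row in sorted(summarise(parse_events(SAMPLE_LOG)).items()):
        print("%-18s attacks=%3d (%5.1f%%)  sources=%3d (%5.1f%%)  per-source=%.1f" % (
            sig, row["attacks"], 100 * row["attack_share"],
            row["sources"], 100 * row["source_share"], row["attacks_per_source"]))
```

On the constructed sample the single Slammer host produces about 64 per cent of attacks while being under 8 per cent of sources, and the ten Blaster hosts are 77 per cent of sources but only about 26 per cent of attacks, which is the shape of the disparity the report describes. Whether your own sensors show the same pattern depends on whether they log one event per packet, per connection or per source, so check that before comparing figures across sensor types.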
The Code Red and Nimda worms - both more than two years old - are also still spreading around the internet, the report found.
Another trend appears to be that attackers are increasingly targeting previously compromised computers and taking advantage of the backdoors left by successful worm and virus attacks. The latest viruses, including MyDoom, Sobig and Bagle, leave behind a backdoor, a listening network service that gives an attacker a way into any system the programs have infected. Increasingly, intruders are checking for those backdoors first.
"It is almost like it has created a different dimension to the underground exploitation of the internet," Symantec's Huger said. "There are a whole bunch of 'properties' out there that are freely available to groups to take advantage of."
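The behaviour Huger describes, intruders sweeping a network for backdoors left by earlier worm infections, is also something a defender can look for in connection logs. The following added example (not Symantec's code or data; the log format, addresses and the three-target threshold are constructed assumptions) flags sources that contact known worm backdoor ports on several different hosts. The port numbers come from the worms' published analyses rather than from the article: MyDoom.A listened on TCP 3127 and Bagle.C and later variants on TCP 2745. The table is deliberately short and not exhaustive.

```python
"""Flag sources that sweep a network for backdoors left by earlier worm infections.

Constructed connection log (not Symantec's data), one TCP connection attempt
per line in an assumed format:
    <timestamp> <src_ip> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict

# Ports on which known worm backdoors listened. These numbers come from the
# worms' published analyses, not from the article: MyDoom.A opened TCP 3127,
# Bagle.C and later variants opened TCP 2745. Extend as needed.
BACKDOOR_PORTS = {3127: "MyDoom.A", 2745: "Bagle.C+"}

# Constructed sample: one host sweeping backdoor ports across the /24, one
# ordinary web client, and one host that touches a single backdoor port once.
SAMPLE_LOG = """\
2004-02-15T10:00:01Z 203.0.113.9 -> 192.0.2.10:3127
2004-02-15T10:00:01Z 203.0.113.9 -> 192.0.2.11:3127
2004-02-15T10:00:02Z 203.0.113.9 -> 192.0.2.12:3127
2004-02-15T10:00:02Z 203.0.113.9 -> 192.0.2.13:2745
2004-02-15T10:00:03Z 203.0.113.9 -> 192.0.2.14:3127
2004-02-15T10:00:05Z 203.0.113.50 -> 192.0.2.10:80
2004-02-15T10:00:06Z 203.0.113.50 -> 192.0.2.11:80
2004-02-15T10:00:07Z 203.0.113.77 -> 192.0.2.10:3127
2004-02-15T10:00:08Z 203.0.113.77 -> 192.0.2.10:443
"""


def parse_connections(text):
    """Yield (src_ip, dst_ip, dst_port) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield src, dst_ip, int(dst_port)


def find_backdoor_sweeps(connections, min_targets=3):
    """Return {src: summary} for sources that probed a backdoor port on at
    least min_targets distinct hosts. A single backdoor-port connection is
    not enough on its own; the sweep across hosts is the signal.
    """
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "first_is_backdoor": None})
    for src, dst_ip, port in connections:
        rec = per_src[src]
        # Record whether the very first thing this source did was a backdoor check.
        if rec["first_is_backdoor"] is None:
            rec["first_is_backdoor"] = port in BACKDOOR_PORTS
        if port in BACKDOOR_PORTS:
            rec["targets"].add(dst_ip)
            rec["ports"].add(port)
    hits = {}
    for src, rec in per_src.items():
        if len(rec["targets"]) >= min_targets:
            hits[src] = {
                "targets": len(rec["targets"]),
                "worms": sorted(BACKDOOR_PORTS[p] for p in rec["ports"]),
                "first_is_backdoor": rec["first_is_backdoor"],
            }
    return hits


if __name__ == "__main__":
    for src, hit in find_backdoor_sweeps(parse_connections(SAMPLE_LOG)).items():
        print("%s probed %d hosts for %s (first contact was a backdoor port: %s)" % (
            src, hit["targets"], ", ".join(hit["worms"]), hit["first_is_backdoor"]))
```

A hit from this check is a scanning source, not proof that any target is infected; the follow-up is to see whether any of the probed hosts answered on the backdoor port, since an open 3127 or 2745 on your own network means the worm infection, not just the scan, still needs cleaning up.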
Robert Lemos writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.